<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Does nova (without keystone) provide any isolation across users' instances? In our deployment (which is based on code merged from trunk from about two weeks ago), we've found that one user can see another user's instances, terminate another user's instances, etc. Keypairs do seem to be isolated, though.<br><br>On the other hand, I tried out devstack, which uses keystone, and the demo user wasn't able to see instances launched by the admin user. Is this isolation a feature of keystone, or is this some issue in our setup (e.g., set up users incorrectly, wrong flag somewhere)?<br><br><br>Here's what we saw when testing this out:<br><br>Root:<br><pre># nova-manage user create test_user1
# nova-manage project create test_user1 admin
# nova-manage project add test_user1 test_user1
# nova-manage project environment test_user1 test_user1 novarc-user1
# nova-manage user create test_user2
# nova-manage project create test_user2 admin
# nova-manage project add test_user2 test_user2
# nova-manage project environment test_user2 test_user2 novarc-user2</pre><br>test_user1:<br><pre>test_user1@cluster ~ $ source novarc-user1
test_user1@cluster ~ $ euca-describe-keypairs
KEYPAIR	user1	d0:56:69:08:9b:60:e3:82:b2:7d:ee:e6:57:84:dd:65
test_user1@cluster ~ $ euca-run-instances -t m1.tiny -k user1 ami-0000000b
RESERVATION	r-4a722y62	test_user1	default
INSTANCE	i-00000009	ami-0000000b			pending	user1 (test_user1, gpu1)	1		m1.tiny	2011-10-18T15:09:54Z	nova	ami-00000000	ami-00000000
test_user1@cluster ~ $ euca-describe-instances
RESERVATION	r-4a722y62	test_user1	default
INSTANCE	i-00000009	ami-0000000b	10.99.1.3	10.99.1.3	pending	user1 (test_user1, gpu1)	1		m1.tiny	2011-10-18T15:09:54Z	nova	ami-00000000	ami-00000000</pre><br>test_user2:<br><pre>test_user2@cluster ~ $ source novarc-user2
test_user2@cluster ~ $ euca-describe-keypairs
test_user2@cluster ~ $ euca-describe-instances
RESERVATION	r-4a722y62	test_user1	default
INSTANCE	i-00000009	ami-0000000b	10.99.1.3	10.99.1.3	running	user1 (test_user1, gpu1)	1		m1.tiny	2011-10-18T15:09:54Z	nova	ami-00000000	ami-00000000</pre><br><br>Lorin<br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>--</div><div>Lorin Hochstein, Computer Scientist</div><div>USC Information Sciences Institute</div><div>703.812.3710</div><div><a href="http://www.east.isi.edu/~lorin">http://www.east.isi.edu/~lorin</a></div><div><br></div></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
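<div>The cross-project visibility shown in the transcript above can be turned into a repeatable check. This is an added example, not part of the original message: the function names <code>foreign_instances</code>, <code>check_isolation</code> and <code>sample_listing</code> are hypothetical, and it assumes the column layout seen in the transcript (project in field 3 of RESERVATION, instance id in field 2 of INSTANCE).</div>

```shell
#!/bin/sh
# Added example (not from the original message): tenant-isolation check over
# `euca-describe-instances` output. Assumes, as in the transcript above, that
# field 3 of a RESERVATION line is the owning project and field 2 of an
# INSTANCE line is the instance id.

# Print "<instance-id> <owner>" for every instance whose reservation is owned
# by a project other than $1. Reads the listing on stdin.
foreign_instances() {
    awk -v own="$1" '
        BEGIN { owner = "UNKNOWN" }   # INSTANCE seen before any RESERVATION
        $1 == "RESERVATION" { owner = $3; next }
        $1 == "INSTANCE" && owner != own { print $2, owner }
    '
}

# Return 0 if the listing on stdin shows only instances of project $1,
# 1 otherwise (details go to stderr).
check_isolation() {
    leaked=$(foreign_instances "$1")
    if [ -n "$leaked" ]; then
        printf 'visible to %s but owned elsewhere:\n%s\n' "$1" "$leaked" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the listing test_user2 received above, trimmed to the
# leading fields the check reads.
sample_listing() {
    printf 'RESERVATION\tr-4a722y62\ttest_user1\tdefault\n'
    printf 'INSTANCE\ti-00000009\tami-0000000b\t10.99.1.3\t10.99.1.3\trunning\n'
}

# Against a live endpoint, with novarc-user2 sourced:
#   euca-describe-instances | check_isolation test_user2
```

<div>Run once per project's credentials after any change to the auth configuration; a non-zero exit means that project can list instances it does not own.</div>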
<br></body></html>